SECURITY: Expand and improve SSRF Protections (#18815)

See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com> Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2025-05-23 19:04:11 +08:00 · 2022-11-01 16:33:17 +00:00
parent 695b44269b
commit 68b4fe4cf8
42 changed files with 1164 additions and 443 deletions
--- a/spec/requests/admin/themes_controller_spec.rb
+++ b/spec/requests/admin/themes_controller_spec.rb
@ -11,6 +11,22 @@ RSpec.describe Admin::ThemesController do
    sign_in(admin)
  end

+  let! :repo do
+    setup_git_repo(
+      "about.json" => { name: "discourse-branch-header" }.to_json,
+    )
+  end
+
+  let! :repo_url do
+    MockGitImporter.register('https://github.com/discourse/discourse-brand-header.git', repo)
+  end
+
+  around(:each) do |group|
+    MockGitImporter.with_mock do
+      group.run
+    end
+  end
+
  describe '#generate_key_pair' do
    it 'can generate key pairs' do
      post "/admin/themes/generate_key_pair.json"
@ -111,8 +127,8 @@ RSpec.describe Admin::ThemesController do
          remote: '    https://github.com/discourse/discourse-brand-header.git       '
        }

-        expect(Theme.allowed_remote_theme_ids.length).to eq(1)
        expect(response.status).to eq(201)
+        expect(Theme.allowed_remote_theme_ids.length).to eq(1)
      end

      it "prevents adding disallowed themes" do